ICCA-NYC Bar-CPR Cybersecurity Protocol in International Arbitration - Part II - Soft Law Materials - Soft Law in International Arbitration - Second Edition
Originally from Soft Law in International Arbitration, Second Edition
I. Purpose of the Protocol
The purpose of the ICCA-NYC Bar-CPR Cybersecurity Protocol for International Arbitration (the “Cybersecurity Protocol” or the “Protocol”) is twofold.
First, the Protocol is intended to provide a framework to determine reasonable information security measures for individual arbitration matters. That framework includes procedural and practical guidance to assess security risks and identify available measures that may be implemented.
Second, the Protocol is intended to increase awareness about information security in international arbitrations. This includes awareness of:
(i) information security risks in the arbitral process, which include both cybersecurity and physical security risks;
(ii) the fact that reasonable information security is required by law in many jurisdictions;
(iii) the importance of information security to maintaining user confidence in the overall arbitral regime;
(iv) the essential role played by individuals involved in the arbitration in effective risk mitigation; and
(v) some of the readily accessible information security measures available to improve everyday security practices.
II. Scope of the Protocol
(a) Application Beyond International Commercial Arbitrations
Although the Protocol has been drafted with international commercial arbitrations in mind, it may also be a useful reference for domestic arbitration matters and/or investor-state arbitrations, as well as mediations and other ADR procedures.
(b) Data Protection Issues
Information security and data protection issues are closely connected, largely because there is increasing regulation around the globe governing the processing of personal data. It is typical for data protection laws and regulations to mandate, among other things, that entities and individuals processing personal data implement reasonable information security measures.
The ICCA-IBA Roadmap to Data Protection in International Arbitration (the “Roadmap”) is being launched concurrently with this 2022 edition of the Protocol. The Roadmap recognizes that adherence to the Protocol facilitates compliance with data protection legal regimes, such as the European Union General Data Protection Regulation (“GDPR”), which require reasonable information security. Readers may refer to the Roadmap for further guidance on the application of the data protection laws during an arbitration.
The Protocol is intended to complement the Roadmap and other resources on data protection compliance by providing guidance in the arbitration context on: (i) the mitigation of information security risks and (ii) breach notification expectations and procedures. The Protocol recognizes that breach notification is one aspect to be considered when preparing an incident response plan for situations in which information security may have been compromised, and that notice expectations and procedures warrant special attention because whether a security incident (or “data breach” under the GDPR) constitutes a security breach triggering notice obligations (often on a very short timeline) will depend on applicable law.
The Protocol does not supersede applicable legal or other binding obligations, and while implementation of the Protocol supports compliance with the security requirements imposed by data protection laws, it does not impact the many other requirements imposed by those laws.